IIoT security requires a holistic approach

Enhanced intelligence and fast delivery are key drivers for further investment in IIoT, but as the technology is still in relative infancy, security is a rising concern as more objects communicate with each other via the Internet.

Enhanced intelligence and fast delivery are key drivers for further investment in the Industrial Internet of Things (IIoT), but as the technology is still in relative infancy, security is a rising concern and a holistic approach is needed by companies to address these issues. Equipment such as sensors, gateways, processors and actuators continuously evolve, communicating with each other via the Internet. Due to this fact, the Internet of Things (IoT) and the Industrial Internet of Things are quickly becoming a business reality within various industrial sectors.

Currently, the IIoT is increasingly closing the gap between information technology (IT) and operational technology (OT), meaning companies have access to real-time critical data in a cost-effective manner. Enhanced intelligence and fast delivery are key drivers for further investment in IIoT, but as the technology is still in relative infancy, security is a rising concern and a holistic approach is needed by companies to address these issues.

Built-in security

IIoT security requirements are currently in their early stages, as many suppliers’ primary focus remains on the innovative nature and functionality of a product. Security has therefore not been on the agenda of many smart device manufacturers for some time.

That mindset has led to IIoT devices suffering exposure to a wide range of risks. Such risks include distributed denial of service (DDoS) attacks and hackers manipulating data and process values. The potential ramifications of a breached industrial environment go far beyond the boundaries of cyberspace, making it an even greater threat than those seen in traditional IoT networks. This is reflected in the impact on physical processes, as disruption of these can lead to serious consequences such as tripping a plant, overfilling a tank and the release of gas or chemicals. Even more disturbingly, this can result in fatalities, injuries and damage to assets or the environment.

The emergence of IIoT has led to increasing needs and adoption of Internet-enabled devices from various industries. The initial attacks and vulnerabilities discovered should act as a real eye-opener for businesses. These attacks demonstrate the financial and reputational consequences of security not being taken seriously and should also be seen as a wakeup call for industries to address security throughout the lifecycle of these devices. Vendors and suppliers looking to implement security into industrial products from the outset should look at the available security frameworks, such as those from the Industrial Internet Consortium (IIC).

Holistic security approach

Security should be a holistic process, which means the security of a device should be addressed from the initial phase of a project or initiative. Having the right security requirements as part of the contract and procurement process is hugely important to ensure the supply chain is well controlled. Selecting a product based on the business and technical requirements, backed by the security assessment of the device, is essential to understand a product’s limitations and shortcomings.

With that in mind, businesses can take proactive countermeasures to mitigate risks and function without fear of security-related downtime. This process goes even further once a product is in production to ensure all controls are in place to protect the asset from unauthorized access or tampering. This is an ongoing function that can be supported by technical and procedural controls.

Furthermore, understanding the supply chain and product ecosystem is a complex requirement, entailing a considerable amount of testing. A lot of work can be done to identify physical and logical threats, including testing the embedded security and the integrity of firmware. This can be supported by the review of the secure development lifecycle (SDLC) and application and protocol layers, as well as static code analysis. It is imperative that businesses understand that security should not be considered as an additional function of industrial products, rather it should be thought of as a critical business process to prevent cyberattacks.

Jalal Bouhdada is the founder and principal ICS security consultant for Applied Risk. He has over 15 years of experience in industrial control systems (ICS) security assessment, design and deployment with a focus on process control domain and industrial IT security. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.